Information Security Foundation based on ISO/IEC 27002

Transcription

1 Preparation Guide Information Security Foundation based on ISO/IEC Edition March 2015

2 Copyright 2015 EXIN All rights reserved. No part of this publication may be published, reproduced, copied or stored in a data processing system or circulated in any form by print, photo print, microfilm or any other means without written permission by EXIN. Preparation Guide Information Security Foundation based on ISO/IEC (ISFS.EN) 2

3 Content 1. Overview 4 2. Exam requirements 7 3. List of basic concepts Literature 14 33

4 1. Overview EXIN Information Security Foundation Summary Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. (ISO/IEC definition) Information security is gaining importance in the Information Technology (IT) world. Globalization of the economy is leading to an ever-increasing exchange of information between organizations (their employees, customers and suppliers) and an explosion in the use of networked computers and computing devices. The international standard, the Code of Practice for Information Security ISO/IEC 27002:2013 is a widely respected and referenced standard and provides a framework for the organization and management of an information security program. Implementing a program based on this standard will serve an organization well in its goal of meeting many of the requirements faced in today s complex operating environment. A strong understanding of this standard is important to the personal development of every information security professional. In EXIN s Information Security modules the following definition is used: Information Security deals with the definition, implementation, maintenance, compliance and evaluation of a coherent set of controls (measures) which safeguard the availability, integrity and confidentiality of the (manual and automated) information supply. In the module EXIN Information Security Foundation based on ISO/IEC 27002, the basic concepts of information security and their relationships are tested. One of the objectives of this module is to raise the awareness that information is valuable and vulnerable, and to learn which measures are necessary to protect information. The subjects of this module are: Information and security: the concept, the value, the importance and the reliability of information; Threats and risks: the concepts of threat and risk and the relationship with the reliability of information; Approach and organization: the security policy and security organization including the components of the security organization and management of (security) incidents; Measures: the importance of security measures including physical, technical and organizational measures and Legislation and regulations: the importance and impact of legislation and regulations 44

5 Context Qualification program The Certificate EXIN Information Security Foundation based on ISO/IEC is part of the qualification program Information Security. The module is followed up by the Certificates EXIN Information Security Management Advanced based on ISO/IEC and EXIN Information Security Management Expert based on ISO/IEC

6 Target group The examination for EXIN Information Security Foundation based on ISO/IEC is intended for everyone in the organization who is processing information. The module is also suitable for entrepreneurs of small independent businesses for whom some basic knowledge of information security is necessary. This module can be a good start for new information security professionals. Prerequisites none Examination type Computer based multiple-choice questions Indication study load 60 hours In-course assessment Not applicable Time allotted for examination 60 minutes Examination details Number of questions: 40 Pass mark: 65% (26 of 40) Open book/notes: no Electronic equipment permitted: no The Rules and Regulations for EXIN s examinations apply to this exam. Sample questions To prepare for your examination you can download a sample exam at Training Group size The maximum number of course participants is 25. (This does not count for online- or computer based training.) Contact hours The minimum number of contact hours for the course is 7. This number includes group assignments, exam preparation and short coffee breaks. Not included are: homework, the logistics related to the exam session, the exam session and lunch breaks. Training provider A list of accredited training providers may be found on EXIN s website 66

7 2. Exam requirements The exam requirements are specified in the exam specifications. The following table lists the topics of the module (exam requirements). The weight of the different topics in the exam is expressed as a percentage of the total. Exam requirement Exam specification Weight (%) 1 Information and security The concept of information Value of information Reliability aspects 5 2 Threats and risks Threats and risks Relationships between threats, risks and the reliability of information 15 3 Approach and organization Security policy and security organization Components Incident management 5 4 Measures Importance of measures Physical security measures Technical measures Organizational measures 10 5 Legislation and regulation Legislation and regulations 10 Total

8 Exam specifications 1. Information and security (10%) 1.1 The concept of information (2.5%) The candidate understands the concept information Explain the difference between data and information; Describe the storage medium that forms part of the basic infrastructure. 1.2 Value of information (2.5%) The candidate understands the value of information for organizations Describe the value of data/information for organizations; Describe how the value of data/information can influence organizations; Explain how applied information security concepts protect the value of data/information. 1.3 Reliability aspects (5%) The candidate knows the reliability aspects (confidentiality, integrity, availability) of information Name the reliability aspects of information; Describe the reliability aspects of information. 2. Threats and risks (30%) 2.1 Threat and risk (15%) The candidate understands the concepts of threat and risk Explain the concepts threat, risk and risk analysis; Explain the relationship between a threat and a risk; Describe various types of threats; Describe various types of damage; Describe various risk strategies. 2.2 Relationships between threats, risks and the reliability of information. (15%) The candidate understands the relationship between threats, risks and the reliability of information Recognize examples of the various types of threats; Describe the effects that the various types of threats have on information and the processing of information. 88

9 3. Approach and organization (10%) 3.1 Security policy and security organization (2.5%) The candidate has knowledge of the concepts security policy and security organization Outline the objectives and the content of a security policy; Outline the objectives and the content of a security organization. 3.2 Components (2.5%) The candidate knows the various components of the security organization Explain the importance of a code of conduct; Explain the importance of ownership; Name the most important roles in the information security organization. 3.3 Incident Management (5%) The candidate understands the importance of incident management and escalation Summarize how security incidents are reported and what information is required; Give examples of security incidents; Explain the consequences of not reporting security incidents; Explain what an escalation entails (functionally and hierarchically); Describe the effects of escalation within the organization; Explain the incident cycle. 4. Measures (40%) 4.1 Importance of measures (10%) The candidate understands the importance of security measures Describe various ways in which security measures may be structured or arranged; Give examples for each type of security measure; Explain the relationship between risks and security measures; Explain the objective of the classification of information; Describe the effect of classification. 4.2 Physical security measures (10%) The candidate has knowledge of both the set-up and execution of physical security measures Give examples of physical security measures; Describe the risks involved with insufficient physical security measures. 99

10 4.3 Technical measures (10%) The candidate has knowledge of both the set-up and execution of technical security measures Give examples of technical security measures; Describe the risks involved with insufficient technical security measures; Understand the concepts cryptography, digital signature and certificate; Name the three steps for online banking (PC, web site, payment); Name various types of malicious software; Describe the measures that can be used against malicious software. 4.4 Organizational measures (10%) The candidate has knowledge of both the set-up and execution of organizational security measures Give examples of organizational security measures; Describe the dangers and risks involved with insufficient organizational security measures; Describe access security measures such as the segregation of duties and the use of passwords; Describe the principles of access management; Describe the concepts identification, authentication and authorization; Explain the importance to an organization of a well set-up Business Continuity Management; Make clear the importance of conducting exercises. 5. Legislation and regulations (10%) 5.1 Legislation and regulations (10%) The candidate understands the importance and effect of legislation and regulations Explain why legislation and regulations are important for the reliability of information; Give examples of legislation related to information security; Give examples of regulations related to information security; Indicate possible measures that may be taken to fulfill the requirements of legislation and regulations. Comment The security measures are for most staff members the first aspects of information security they encounter. Therefore the measures are central to the module and have the highest weight. The threats and risks follow in terms of weight. Finally, insight in the policy, organization and legislation and regulation in the area of information security is necessary in order to understand the importance of the information security measures. 10

11 3. List of basic concepts This list contains the terms with which candidates should be familiar. Terms are listed in alphabetical order. Access control Asset Audit Authentication Authenticity Authorization Availability Backup Biometrics Botnet Business Continuity Management (BCM) Business Continuity Plan (BCP) Business Assets Category Certificate Change Management Classification (grading) Clear desk policy Code of conduct Code of practice for information security (ISO/IEC 27002:2013) Completeness Compliance Computer criminality legislation Confidentiality Continuity Controls Copyright legislation Corrective Correctness Cryptography Cyber crime Damage Data Detective Digital signature Direct damage Disaster Disaster Recovery Plan (DRP) Encryption Escalation o Functional escalation 11

12 o Hierarchical escalation Exclusivity Hacking Hoax Identification Impact Incident cycle Indirect damage Information Information analysis Information architecture Information management Information security review Information system Infrastructure Integrity Interference ISO/IEC 27001:2013 ISO/IEC 27002:2013 Key Logical access management Managing business assets Maintenance door Malware Non-disclosure agreement Non-repudiation Patch Personal data protection legislation Personal firewall Phishing Precision Preventive Priority Privacy Production factor Public Key Infrastructure (PKI) Public records legislation Qualitative risk analysis Quantitative risk analysis Reductive Redundancy Reliability of information Repressive Risk Risk analysis Risk assessment (Dependency & Vulnerability analysis) o Risk avoiding o Risk bearing Risk management o Risk neutral Risk strategy Robustness Rootkit 12

13 Secret authentication information Security in development Security event Security incident Security measure Security Organization Security Policy Security regulations for the government Segregation of duties Social engineering Spam Spyware Stand-by arrangement Storage medium System acceptance testing Threat Timeliness Trojan Uninterruptible Power Supply (UPS) Urgency User access provisioning Validation Verification Virtual Private Network (VPN) Virus Vulnerability Worm 13

14 4. Literature Exam literature A Hintzbergen, J., Hintzbergen, K., Smulders, A. and Baars, H. Foundations of Information Security Based on ISO and ISO Van Haren Publishing, 3 rd edition, 2015 ISBN ebook Overview of the literature Exam specification Literature 1.1 A: Chapter A: Chapter 3 and A: Chapter 3 and A: Chapter A: Chapter 3 and A: Chapter 3, 5 and A: Chapter 6, 7, 8 and A: Chapter 3, 15 and A: Chapter 3, 8 and A: Chapter 3 and A: Chapter 6, 11 and A: Chapter 3, 6, 9, 17 and A: Chapter 18 14

15 15

16 Contact EXIN